The draft guidelines provide further clarification to the EDPB’s interpretation of legitimate interests, and suggest a potential divergence with the UK ICO.

By Gail Crawford, Fiona Maclean, Myria Saarinen, Tim Wybitul, Alice Brunning, and Calum Docherty

On 8 October 2024, the European Data Protection Board (EDPB) released draft Guidelines 1/2024 (the Guidelines) setting out its approach to processing personal data based on the “legitimate interests” legal basis in Article 6(1)(f) of the GDPR. The Guidelines

Understanding the ICO’s approach to assessing financial penalties should be a key element of an organisation’s data protection strategy and risk profile.

By James Lloyd and Sami Qureshi

In an era when data protection infringements can tarnish business reputations overnight, understanding the financial ramifications is more crucial than ever. The UK’s Information Commissioner’s Office (ICO) recently unveiled its much-anticipated updated guidance on the calculation of fines for data protection infringements under the UK General Data Protection Regulation (UK GDPR) and

The PDPL has broad extraterritorial scope and substantial penalties for non-compliance, with full enforcement expected to start in September.

By Brian A. Meenagh and Lucy Tucker

The Personal Data Protection Law (PDPL) is the first comprehensive data protection law in Saudi Arabia. The Saudi Data and Artificial Intelligence Authority (SDAIA) is expected to start full enforcement of the PDPL from 14 September 2024, after the current compliance transition period ends. SDAIA emphasised that it expects entities to take measures to achieve compliance with the PDPL by the September deadline.  

Companies subject to India’s new data protection law should assess practical implications.

By Gail Crawford, Fiona Maclean, Danielle van der Merwe, Kate Burrell, Bianca H. Lee, Alex Park, Irina Vasile, and Amy Smyth

The Indian parliament enacted India’s first comprehensive data protection law on 11 August 2023, namely the Digital Personal Data Protection Act 2023 (the DPDPA). The DPDPA will replace India’s existing patchwork of data protection rules[i] and is expected to trigger significant changes in how companies subject to Indian data protection laws process personal data. However, the law is not yet operational; no effective date has been established and there is no official timeline for the overall implementation. Stakeholders expect the law to come into force in a phased manner in the next six to 12 months, after:

  1. an independent agency responsible for enforcing the DPDPA — the Data Protection Board of India (the Data Protection Board) — is established; and
  2. the Indian government has framed the subordinate rules (which are expected to provide interpretative guidance on procedural steps and enforcement methodology).

The DPDPA is “umbrella” legislation, as it sets out only a high-level framework for India’s new data protection regime, with supplementary rules expected in due course. Though the new law is not yet operational, companies subject to the new law are advised to begin assessing potential practical implications at an early stage.

The French Data Protection Authority imposed a €280,000 fine for GDPR infringements and a €100,000 fine for violation of French cookie rules.

By Myria Saarinen

On 11 May 2023 the French Data Protection Authority (the CNIL) handed down its decision on the health website Doctissimo, imposing a €280,000 fine for the infringement of four provisions of the GDPR and an additional €100,000 fine for the violation of Article 82 of the French Data Protection Act (the French Cookies Rule).

Founded in 2000 by medical doctors, Doctissimo is one of the most widely visited health and well-being websites in France, with the majority of visitors located in France and Belgium. The website hosts articles, tests, quizzes, and forums related to health and well-being.

By Ian Felstead, Gail Crawford, Serrin Turner, Tim Wybitul, and Hayley Pizzey[1]

The final decision of the Irish Data Protection Commission (IDPC) in relation to the transfers of EU/EEA Facebook user data by Meta Platforms Ireland Limited (Meta Ireland) to its processor, Meta Platforms, Inc., in the US (the Transfers)[2] was published on 22 May 2023 (IDPC Decision).[3]

The IDPC found that the Transfers, made pursuant to Standard Contractual Clauses (SCCs), did not comply with Article 46(1) GDPR, as the SCCs together with the supplementary measures implemented “do not compensate for the deficiencies in US law in issue”. The IDPC also found that the Transfers could not be made pursuant to any of the derogations under Article 49(1) GDPR. In particular, the IDPC concluded that the “contractual necessity” derogation could not be relied on by Meta Ireland “to justify the systematic, bulk, repetitive and ongoing transfers to the US”.

In light of these conclusions, the IDPC made an order suspending the Transfers (the Suspension Order).

The court determined that mere infringement of the GDPR is insufficient for a damages claim, but that there is no minimum threshold for non-material damages.

By Tim Wybitul, Myria Saarinen, Isabelle Brams, Floriane Cruchet, Camille Dorval, Charlotte Guerin, Lara Nonninger, and Hayley Pizzey

In a recent judgment (Case C-300/21), the Court of Justice of the European Union (CJEU) held that mere infringement of the General Data Protection Regulation (GDPR) is insufficient to claim compensation under Article 82, absent any material or non-material damage suffered by the individual. In relation to non-material damage, the CJEU rejected the concept of a minimum threshold level of damage or harm to the individual.

Article 82 of the GDPR states that any person who has suffered material or non-material damage as a result of a GDPR infringement has the right to receive compensation.

The CJEU’s judgment has the potential to encourage non-material damages claims — whether individual or collective — as it is clear that there is no de minimis threshold for such damages. However, the judgment also holds that mere GDPR infringement is an insufficient basis for non-material damages and therefore the claimant must prove that they suffered damage — albeit not to a standard, European Union-wide minimal threshold. Therefore, the specific impact of this judgment will vary across Member States, depending on applicable domestic law underpinning non-material damages claims more broadly.

Organisations must provide individuals with information on the specific recipients of their data upon request.

By Tim Wybitul, Isabelle Brams, Calum Docherty, and Amy Smyth

The Court of Justice of the European Union (CJEU) has ruled that organisations must generally disclose the specific identity of data recipients on request from an individual in order to give effect to the right of access. Organisations may only limit their response to the mere categories of recipients if they cannot identify the specific recipients or if the request is manifestly unfounded or excessive. The court’s judgment in the case of RW v. Österreichische Post AG (Case C-154/21) follows the opinion given by CJEU Advocate General Giovanni Pitruzzella in mid-2022 (the Opinion). For background on the case and the Opinion, see this Latham & Watkins blog post.

The CJEU’s final ruling could subject companies to direct GDPR enforcement by DPAs notwithstanding national procedural rules, but may rule against strict liability under the GDPR.

By Tim Wybitul, Myria Saarinen, Isabelle Brams, Irina Vasile, and Amy Smyth

On 27 April 2023 Advocate General of the Court of Justice of the European Union (CJEU) Campos Sánchez-Bordona delivered an opinion in which he approved direct enforcement of the General Data Protection Regulation (GDPR) against companies but rejected

Organisations should expect increased scrutiny and enforcement activity around the role of data protection officers in the coming year.

By Gail E. Crawford, Fiona M. Maclean, Ben Leigh, and Amy Smyth

The European Data Protection Board (EDPB) has announced that its coordinated enforcement action for 2023 will focus on the designation and position of data protection officers (DPOs). Each year, the EDPB’s Coordinated Enforcement Framework (CEF) designates a topic EU data protection authorities (DPAs) should focus on. Although participation for any given year is voluntary, the EDPB has stated that this CEF will involve 26 DPAs across the European Economic Area, including the European Data Protection Supervisor.